Adding an EULA for AAA Login

By Sam Jacobs posted 01-23-2017 06:56 AM


With the release of NetScaler version 11, administrators have the option of configuring an End User License Agreement (EULA) that users must accept before being allowed to log on to the NetScaler. Configuring the EULA adds a checkbox to the logon page:

CUGC EULA 1.png 

Note that the Log On button is grayed out until the EULA is accepted. The exact wording (what the user sees when clicking on the Terms and Conditions hyperlink) are configured by the administrator.

1) To create the EULA using the GUI, go to NetScaler > NetScaler Gateway > Resources > EULA (If you’ve already created and globally bound your EULA, skip to step 11).
 CUGC EULA 2.png
2) Click Add.

 CUGC EULA 3.png

3) Give your EULA a name (you can have multiple EULAs and switch between them), enter the text of the EULA, and click OK. Note that you can enter HTML codes to format your text.

4) Now, if we wanted the EULA for a specific Access Gateway vServer, we would bind the EULA under the Advanced Settings of the gateway vServer.

 CUGC EULA 4.png

Here, however, we want to bind the EULA globally, so we head over to NetScaler > NetScaler Gateway > Global Settings.

CUGC EULA 5.png 
5) Click on Configure an End User License Agreement.

CUGC EULA 6.png 

6) Click Add Binding.

CUGC EULA 7.png 
7) Click to select the EULA.

CUGC EULA 8.png 
8) Select the EULA you just created...

CUGC EULA 9.png 
9) ... and click Bind.

CUGC EULA 10.png 

10) The EULA is now bound globally. Click Close.

11) If you browse to the FQDN of your gateway vServer, you should now see the screen shown at the top of the post. Note: If you don’t see the checkbox and hyperlink, see step 15 below.

12) If you click on the Terms and Conditions hyperlink, you should see:

CUGC EULA 11.png 

Notice that I specifically said the FQDN of your gateway vServer. Since the EULA is bound globally, you would expect to see the same thing for an AAA login page (you can see what an AAA login page looks like by simply replacing index.html in the URL with tmindex.html). While the actual login page looks the same, clicking on the Terms and Conditions hyperlink for the AAA login page shows:

CUGC EULA 12.png 

What happened? It seems that there is an "unanticipated feature" (a "bug" in layman’s terms) in the AAA logic. Is there a workaround? Of course there is (or I wouldn’t be writing this post! :))

13) Using your favorite SCP editor, go to the /resources directory of the theme you are using, and make a backup of the language XML file(s) that you are using (e.g. en.xml for English). Open up the XML file and look for Partition id="logon" (which contains the text strings for the logon page).

CUGC EULA 13.png 

Now, the id for the EULA text is agreement, so to add the EULA, we need to add a line containing that id to the file. Since the entire string must be contained on a single line, if you wish to keep the same formatting as above, you might be tempted to simply add the following line:

CUGC EULA 14.png 

Unfortunately, the above will not accomplish what you want. In fact, if you browse to the FQDN of the site, you will now see only:

CUGC EULA 15.png 

Yup ... just a blank page. That’s because you need to HTML-encode the < and > symbols.

14) Simply replacing each < (less than symbol) with < and each > (greater than symbol) with > (the semi-colon is mandatory) will do the trick. So the final line will look like:

CUGC EULA 16.png 

15) It has come to my attention that certain versions of the NetScaler may not display the EULA checkbox and hyperlink, even if the EULA is bound globally. If this is the case, you will need to make a source-code modification to one of the JavaScript files.

Disclaimer: Source-code modifications are not supported by Citrix Support, and you may be asked to reverse any changes made. The below modification is provided as is. There is no guarantee that it will work in your environment. Test out any changes on a non-production system first, and keep a backup copy of the original file(s).

16) Make a backup copy of /netscaler/ns_gui/vpn/js/tmindex_view.js. Open the file and search for the highlighted line below:

CUGC EULA 17.png 

17) Insert the highlighted line:

CUGC EULA 18.png 

18) Save the file. Clear your cache and refresh the page (you may need to wait 2 mins for the NetScaler cache to purge). You should now see the checkbox and hyperlink.

19) In order to survive a reboot, you will also need to copy the modified tmindex_view.js file to /var/vpn/vpn/js (if the /js directory does not exist, create it).

20) If the NetScaler is part of an HA pair, you will need to copy the modified file into both directories of the secondary appliance, as source-level modifications are not synched between node.

Sam Jacobs is the Director of Technology Development at IPM, the longest standing Citrix Platinum Partner on the East Coast. With more than 25 years of IT consulting experience, Sam is a NetScaler customizations and integrations industry expert. He holds Microsoft MCSD, Citrix CCP-M and CCP-N certifications, and is a frequent presenter at Citrix Synergy and other IT conferences. He is one of the top Citrix support Forum contributors, and has earned industry praise for the tools he has developed to make NetScaler, StoreFront and Web Interface easier to manage for administrators and more intuitive for end users. Sam became a Citrix Technology Professional (CTP) in 2015. He may be reached at: or on Twitter at: @WIGuru.